Hello everybody on the internet. Welcome. Hello. This is another video for BCACTF. I'm here with Sinister Matrix, the shoulder man beside me, and we're taking a look at this Basic Pass 3. This is the third challenge in a series of Basic Pass. Originally they give you a couple of binaries and you're able to download them and work with them, reverse engineer them, and Katana just cuts right through them. So this challenge does not give you a binary; instead it only gives you a netcat connection. It says, okay, the sysadmin finally admits that maybe authentication should happen on a server. Can you just check everything really quickly to make sure there aren't any problems? You put out some readouts for people who forget their passwords. So if we go to a terminal and connect here, it says welcome to the login portal. Please enter the password. So I'll just say "please subscribe" and it just gives me a bunch of zeros. Let me just say like anything without a nonsense. What? That one had a one in there. I don't know why. So if we just like try the flag format, ah, it gives us a bunch of ones. One, one, one, one. And those are all in line with how the flag format is. Yeah. Yeah. Totally in line with the flag format. Okay. So maybe we, is that the case if we like have something wrong? Like B, C, A, T, C, T, X, and a call in there. Okay. So the zero will tell me that that is the wrong character. And one seems to give you the correct character. So I'm guessing this is what it meant with, it'll give you password readouts for those who have forgotten their password. Okay. Yeah, yeah, yeah. Okay. So all we need to do is just script this and we can like figure this out with a little smart brute force method, right? Let's create a script to run through this. I'll use Python and pwntools as I usually do. Kind of typing sideways here. So forgive me. We'll say host and port can equal these guys that we pasted in. Let's go ahead and import pwn though.
We'll say s can equal a remote connection of this host and port. And then we'll go ahead and close that just for good practice. So let's print. Oh, what do we have when we connect to it? So it's "enter the password" with a period and a new line. So we want to get s dot receive until that string. Yeah. And we totally want the new line here. So that would give us our prompt. We should probably keep track of what we have so far of a flag. So if we say BCACTF, and we also want all the printable characters that we're going to iterate through, right? So from string import printable, what can we do? Let's get like one prototype going. Let's send the flag I'll put together. And then let's receive into it again. Let's print what we've got. So if I run this, it gives me this, probably another line it looks like. So let's split this by new lines. Yeah, yeah. Okay, cool. Then we can get the first piece. And that's that. So let's do a clever Python trick, because normally you could do like an "oh, if flag dot starts with what it returned, blah, blah, blah." But since these are all numbers, we have to do something a little bit more clever. At least if we wanted to be quick, let's say response can equal this. And then we'll get the part of it, which will equal the response cut up till the length of the flag that we have thus far. So if I were to print out that part, we have all those ones. And if I were to actually go ahead and convert those all to integers, totally erased half of the script there, for x in part. Now we have a list of those numbers. So if I had a bad character in here, all those zeros would still be present. And that would no longer match when wrapped with the all function here. So all with those zeros in place will give me false. But if I didn't have those bad characters, it would tell me true. So everything thus far is correct. That can be an easy trigger to determine whether or not we've got the right character or not. Yep.
So that way, all is checking for all the ones in that list. And any zero in that list will cause it to go false. Yeah. And that way we can start to put together our brute force attack. Because if we were to, let's give it some nonsense first, trying to get the timing correct with what we send first versus what we send second so we can get the correct prompt. Let's do four. How long is the original string supposed to be? If we give it nonsense, all of this is lost. That is 38 characters shown by Sublime Text on the bottom. So while the length of our flag is less than or equal to 38, we can loop through characters. So for each one in printable, let's say that our new like thing to send would be the flag that we have thus far with the character that we're adding in. And then so pretty much we're iterating through, after we already have the flag partially input, we're iterating through all the printable characters that come in that list. Yep. And then we send the new piece. So then let's determine what the part is. So let's see what our response is. And I'll do this in a terminal so it won't be a complete disaster in Sublime Text. Connection. Okay, now it's running and we're getting the correct prompt. It'd be worthwhile to see if we actually get a one in there. Oh, there we do. Okay, cool. So we know we potentially have the right character. Now we just need to go ahead and, rather than getting the flag length, we want to get the new length because that will include that current character. And then good or whatever can equal all on that. So if good, as in that true statement came along, then we can just add the current character we're looking at to our flag. Actually, c might change by that time. So let's print out some debugging information. While we're doing that, let's print out our flag thus far, put our flag together because it's a list. Let's break out; otherwise we can just continue onward.
So we don't really even need that. So else. Let's actually just, yeah, we will print out, I guess, what we're working with here. Let's get the part and new. Let's see how we look. So all of those are wrong. However, there's a "y" that's coming through, a "u" that's coming through. Okay, starting to look like it's leaking out just fine. Yep, starting to brute our way through the final flag. Heck yeah. Well, we can just let this run. Yeah, really. All right, so I will pause the recording and we'll get back to you as soon as we have a fully leaked out flag. Okay, so it crapped out. We can assume, just before it ended on the ending curly brace, that is our entire flag. So if we were to netcat into it and submit that, it tells us correct. So that is the flag. We could submit that for some points. But that is how we could track that down, brute force that challenge. And I hope that was kind of cool. I hope that was kind of fun. I really like, and I'm kind of pleased with, that all trick. Because that way you don't have to worry about whatever startswith or tracking down the correct character rendition of it. It just helps you maintain that zero to one numeric stance. And it also treats that as like a little Boolean factor for you. All you have to do is really evaluate with the integer form of what it's giving you back given how many parts you found thus far. So I hope that was cool. Not sure why it crapped out really, but I think it had to do with our tethering. I'm guessing it might be. It might be the less than or equal to, or how it received, it tried to receive something that it couldn't have after it sent out correct or something. But hey, we got that flag and that was a cool challenge. So all right. Thanks for watching guys. If you like this video, please do like, comment, and subscribe. Love to see you in the Discord server. There is a link in the description. You can hang out with me. You can hang out with Sinister Matrix. Yep. And love to see you on Patreon.
Love to see you on PayPal. Thank you so much for all your support. I'm grateful for your generous help. All right. See you guys.
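As an added illustration (not the video's script or the challenge's server code), this simulates the Basic Pass 3 readout locally, runs the all() prefix trick from the video against it to show how the per-position readout turns an exponential guess into a linear one, and shows the check a server should do instead. The secret, the oracle functions and the function names are constructed for this example.

```python
# Added example, not the video's script: a local stand-in for the Basic Pass 3
# readout (one '1' per matching position, '0' otherwise), the all() recovery
# trick from the video run against it, and a hardened check that leaks nothing.
# SECRET is constructed; the function names are this example's own.
import hmac
from string import printable

SECRET = "bcactf{constructed_example_flag}"  # constructed, not the real flag

def leaky_check(guess, secret=SECRET):
    """Per-position readout, always len(secret) chars long (like the 38 in the video)."""
    return "".join(
        "1" if i < len(guess) and guess[i] == secret[i] else "0"
        for i in range(len(secret))
    )

def hardened_check(guess, secret=SECRET):
    """Fixed: constant-time whole-string compare, a single yes/no with no positional detail."""
    return hmac.compare_digest(guess.encode(), secret.encode())

def recover(oracle, known="bcactf{"):
    """Rebuild the password one character at a time; returns (flag, oracle queries used)."""
    flag = list(known)
    queries = 1
    target_len = len(oracle(""))        # nonsense input still shows the full readout length
    while len(flag) < target_len:
        for c in printable.strip():     # skip whitespace candidates
            new = "".join(flag) + c
            queries += 1
            part = oracle(new)[:len(new)]
            if all(int(x) for x in part):  # any '0' in the prefix makes all() False
                flag.append(c)
                break
        else:
            break                       # no candidate matched; stop instead of spinning
    return "".join(flag), queries
```

Against leaky_check the loop needs at most about 94 queries per position instead of 94 to the power of the length, while hardened_check gives the same single bit for every wrong guess and so offers nothing to iterate on.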